Configuring the ZCSPM Agent for Google Kubernetes Engine
ZCSPM provides an agent that can be installed on your Google Kubernetes Engine (GKE) cluster to support the security policies listed in the CIS GKE K8s v1.5.1 benchmark. The agent is container-based and is deployed as a cronjob in your Kubernetes cluster. The agent collects the data that is checked against the security policies listed in the CIS benchmark. To learn more, see GCP Security Policies.
You must be a License Admin to configure the ZCSPM agent.
Prerequisites
Before you begin setting up the ZCSPM agent, you need to:
- Install Google Cloud SDK.
- Install and set up kubectl.
- Install and set up Helm 3.0 or higher.
- Add the ZCSPM Helm repo using the following command:
helm repo add zcspm https://charts.cloudneeti.com
- Verify the Helm repo addition using the following command:
helm repo list
- List the available ZCSPM Helm charts using the following command:
helm search repo zcspm --versions
Configuring ZCSPM Agent
To configure the ZCSPM agent:
1. Associate your Kubernetes cluster with GCP in ZCSPM.
- On the ZCSPM Admin Portal, go to Configurations > Cloud Accounts.
- Expand GCP, and click Configure Account next to the cloud account which needs to be associated with your Kubernetes cluster.
- Click K8s Cluster Association from the drop-down menu, then click Associate Cluster in the top right corner.
- Enter the Kubernetes Cluster Name, select GKE from the Cluster Hosting drop-down menu, and click Save.
- The zcspm-agent-config JSON file is downloaded. It contains the information you need to deploy the ZCSPM agent in your Kubernetes cluster:
  - ZCSPM License ID
  - ZCSPM Account ID
  - Cluster Name
  - ZCSPM Environment
  - Cluster Hosting
- Along with the JSON file, you need the following information to deploy the ZCSPM agent:
  - ZCSPM API Key. To generate the ZCSPM API Key:
    - Sign up at the ZCSPM API portal.
    - From the top navigation bar, go to PRODUCTS > Unlimited.
    - Under Customer-Api, click Subscribe.
    - Zscaler will then activate your subscription and send you an email confirmation.
    - After you receive the email confirmation, click your Username in the top right corner.
    - Select your profile and click Show next to the Primary key.
  - ZCSPM API App ID and Secret. To create a ZCSPM API application:
    - On the ZCSPM Admin Portal, select the License from the drop-down menu in which you want to create a ZCSPM API application.
    - Go to Configurations > API Access.
    - Click Create API Application in the top-right corner.
    - Enter the API Application Name, and select APIs from the drop-down menu.
    - Select Account.InsertKubernetesClusterData from the APIs Scope drop-down menu, and choose the Token Expiry duration from the drop-down menu.
    - Set the Secret Expiry date and click Save.
    - From the pop-up menu, copy the API Application Secret and click Done.
    - Copy the API Application ID.
2. Deploy the ZCSPM agent on your cluster.
To deploy the ZCSPM agent on your cluster:
- Access the Kubernetes cluster using the following command:
gcloud container clusters get-credentials <Cluster-Name> --zone <Cluster-Zone> --project <ProjectID>
- Deploy the ZCSPM agent on the Kubernetes cluster using the following command:
helm install <release-name> zcspm/zcspm-agent `
  --set clusterName=<cluster-name-as-onboarded-on-zcspm> `
  --set licenseId=<zcspm-license-id> `
  --set accountId=<zcspm-account-id> `
  --set zcspmEnvironment=<environment-prefix (qa/trial/prod/prod1)> `
  --set zcspmApiAppId=<api-app-id> `
  --set zcspmAPIKey=<zcspm-apimgmt-key> `
  --set zcspmAPIAppSecret=<api-app-secret> `
  --set clusterHosting="GKE"
The backtick (`) at the end of each line is the PowerShell line-continuation character; in a POSIX shell such as bash, use a backslash (\) instead.
If you are using VPC Service Controls, ensure they are appropriately configured for GKE clusters.
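The two steps above come down to feeding the values from the downloaded zcspm-agent-config JSON file, plus the API credentials, into the helm install command. The following added example (not part of the original page or the ZCSPM chart) builds that command and validates the inputs first; the JSON key names and the environment variable names are assumptions, since the page does not show the file's layout.

```python
"""Added example: turn the downloaded zcspm-agent-config JSON plus secrets held
in environment variables into the `helm install` command from this page."""
import json
import os

# Assumed key names in zcspm-agent-config.json; the real file may spell them
# differently. They map 1:1 onto the chart's --set values.
CONFIG_KEYS = ["clusterName", "licenseId", "accountId", "zcspmEnvironment",
               "clusterHosting"]
# Chart value -> environment variable that supplies it, so API credentials
# never land in the config file or in shell history.
SECRET_ENV_VARS = {"zcspmApiAppId": "ZCSPM_API_APP_ID",
                   "zcspmAPIKey": "ZCSPM_API_KEY",
                   "zcspmAPIAppSecret": "ZCSPM_API_APP_SECRET"}
VALID_ENVIRONMENTS = {"qa", "trial", "prod", "prod1"}  # prefixes listed on the page


def build_helm_install(release, config_text, environ=os.environ):
    """Return the helm argv; raise ValueError for a bad config or missing secret."""
    cfg = json.loads(config_text)
    missing = [k for k in CONFIG_KEYS if k not in cfg]
    if missing:
        raise ValueError(f"config is missing keys: {missing}")
    if cfg["zcspmEnvironment"] not in VALID_ENVIRONMENTS:
        raise ValueError(f"unknown zcspmEnvironment {cfg['zcspmEnvironment']!r}")
    if cfg["clusterHosting"] != "GKE":
        raise ValueError("this procedure is for GKE-hosted clusters only")
    argv = ["helm", "install", release, "zcspm/zcspm-agent"]
    for key in CONFIG_KEYS:
        argv += ["--set", f"{key}={cfg[key]}"]
    for chart_value, env_var in SECRET_ENV_VARS.items():
        if not environ.get(env_var):
            raise ValueError(f"export {env_var} before installing")
        argv += ["--set", f"{chart_value}={environ[env_var]}"]
    return argv


# Constructed sample config with placeholder IDs (not real ZCSPM values).
SAMPLE_CONFIG = json.dumps({"clusterName": "gke-prod-cluster",
                            "licenseId": "LICENSE-ID-PLACEHOLDER",
                            "accountId": "ACCOUNT-ID-PLACEHOLDER",
                            "zcspmEnvironment": "prod", "clusterHosting": "GKE"})

if __name__ == "__main__":
    import shlex
    print(shlex.join(build_helm_install("zcspm-agent", SAMPLE_CONFIG)))
```

Pass the returned list to subprocess.run to install, or print it as shown to review the command before running it.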
3. Verify ZCSPM agent installation.
To verify the ZCSPM agent installation:
- Verify the namespace using the following command:
kubectl get namespace
NAME              STATUS   AGE
zcspm             Active   11m
default           Active   15d
kube-node-lease   Active   15d
kube-public       Active   15d
kube-system       Active   15d
- Verify the ZCSPM agent cronjob deployment using the following command:
kubectl get cronjob --namespace zcspm
NAME          SCHEDULE     SUSPEND   ACTIVE   LAST SCHEDULE   AGE
zcspm-agent   0 12 * * *   False     0        <none>          18h
- Trigger the cronjob using the following command:
kubectl create job <job-name> --from=cronjobs/zcspm-agent --namespace zcspm
job.batch/sanity created
- Get jobs using the following command:
kubectl get job --namespace zcspm
NAME          COMPLETIONS   DURATION   AGE
zcspm-agent   1/1           16s        2m12s
- List the pods created by the job using the following command:
kubectl get pods --selector job-name=<job-name> --namespace zcspm
NAME           READY   STATUS      RESTARTS   AGE
sanity-2jkfc   0/2     Completed   0          46s
- Get the logs of the ZCSPM agent container in that pod and verify that the data was successfully sent to ZCSPM using the following command:
kubectl logs <ZCSPM agent pod name> -c zcspm-agent --namespace zcspm
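The verification steps above read human-formatted kubectl tables. The following added example (not from the original page or the ZCSPM project) performs the same cronjob and job checks on the structured output of `kubectl get ... -o json`, which is stable across kubectl versions and safe to automate; the sample objects are constructed from the table output shown above.

```python
"""Added example: decide whether the ZCSPM agent deployment is healthy from the
structured output of `kubectl get cronjob/job ... -o json` rather than by
eyeballing the table output shown above."""
import json
import subprocess


def cronjob_status(cronjob):
    """Return (ok, reason) for a CronJob object from `kubectl get cronjob -o json`."""
    spec = cronjob.get("spec", {})
    name = cronjob.get("metadata", {}).get("name")
    if name != "zcspm-agent":
        return False, f"unexpected cronjob name {name!r}"
    if spec.get("suspend"):
        return False, "cronjob is suspended, the agent will not run"
    if not spec.get("schedule"):
        return False, "cronjob has no schedule"
    return True, f"agent scheduled at {spec['schedule']!r}"


def job_status(job):
    """Return (ok, reason) for a Job object from `kubectl get job -o json`."""
    status = job.get("status", {})
    if status.get("failed", 0):
        return False, f"{status['failed']} pod(s) failed; check the agent logs"
    if status.get("succeeded", 0) < 1:
        return False, "job has not completed yet"
    return True, "job completed"


def kubectl_get(kind, name, namespace="zcspm"):
    """Fetch one object as JSON; `-o json` is standard kubectl output formatting."""
    out = subprocess.run(["kubectl", "get", kind, name, "--namespace", namespace,
                          "-o", "json"], check=True, capture_output=True,
                         text=True).stdout
    return json.loads(out)


# Constructed objects mirroring the page's table output (trimmed to the fields
# the checks read).
SAMPLE_CRONJOB = {"metadata": {"name": "zcspm-agent", "namespace": "zcspm"},
                  "spec": {"schedule": "0 12 * * *", "suspend": False}}
SAMPLE_JOB = {"metadata": {"name": "sanity", "namespace": "zcspm"},
              "status": {"succeeded": 1}}

if __name__ == "__main__":
    for check, obj in ((cronjob_status, SAMPLE_CRONJOB), (job_status, SAMPLE_JOB)):
        ok, reason = check(obj)
        print("OK  " if ok else "FAIL", reason)
```

Against a live cluster, replace the sample objects with kubectl_get("cronjob", "zcspm-agent") and kubectl_get("job", "<job-name>").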
4. Verify the CIS Kubernetes v1.5.1 benchmark's security policy results.
If the agent was installed successfully, you can view the policy results on ZCSPM. To view the results:
- On the ZCSPM Admin Portal, go to Dashboard > Compliance.
- Click CIS GKE K8s v1.5.1.
Upgrading the ZCSPM Agent
Whenever ZCSPM releases a new agent version, you can upgrade your agent to the latest version using Helm. To upgrade the ZCSPM agent:
- Update the ZCSPM Helm repository using the following command:
helm repo update
- Upgrade the ZCSPM agent using the following command:
helm upgrade <release-name> zcspm/zcspm-agent --reuse-values
Updating the ZCSPM Agent parameters
You can update individual agent parameters, such as the API key, using the following command:
helm upgrade <release-name> zcspm/zcspm-agent --set <parameter-to-update>=<value> --reuse-values
Roll back the ZCSPM agent to a previous version
If you face any issue with the newly upgraded ZCSPM agent, you can always roll back to a previous version of the agent using the following command:
helm rollback <release-name>
Offboarding your Kubernetes cluster
To offboard your Kubernetes cluster:
- Disassociate your Kubernetes cluster from ZCSPM:
- Go to Configurations > Cloud Accounts.
- Expand any one of the cloud service providers.
- Click Configure Account for the cloud account which is associated with your Kubernetes cluster.
- Click K8s Clusters Association.
- Click the Delete icon to disassociate your Kubernetes cluster from ZCSPM.
- Delete the ZCSPM Agent from your Kubernetes cluster:
- Connect to your Kubernetes cluster.
- List the Helm releases associated with the ZCSPM agent using the following command:
helm list
- Delete the ZCSPM agent release using the following command:
helm delete <release-name>